x0rz @x0rz@mastodon.social

Tweets are automatically forwarded from https://twitter.com/x0rz

Interesting investigation here: reverse engineering dropped raspberry pi zeros hidden behind trash cans in a college library https://www.youtube.com/watch?v=UeAKTjx_eKA #reverseengineering #linux #firmware

Weird Gmail bug: "You can force an email to enter someone’s Gmail Inbox, Sent folder, and in:sent filter by adding their own email to the From field’s name area (the part in quotes)" https://blog.cotten.io/hacking-gmail-with-weird-from-fields-d6494254722f #phishing

Tiny brain: use an antivirus
Normal brain: use latest Windows with hardened rules and good infosec hygiene
Universe brain: https://www.theguardian.com/world/2018/nov/15/japan-cyber-security-ministernever-used-computer-yoshitaka-sakurada cc @taviso @Sh1ttyKids 😂

TIL you could bruteforce fingerprints 🤯 https://arxiv.org/pdf/1705.07386.pdf (PDF) #biometric #security https://t.co/djhJ0efOhx

(FR) Câbles sous-marins : la guerre invisible - Le Dessous des cartes https://www.youtube.com/watch?v=qkkEMg_pWp0

#GDPR compliance in a nutshell 😂 https://t.co/7n7b9oqIqX

This is probably very useful for SOC/CERT monitoring Windows command line executions https://github.com/chenerlich/FCL #threatintel #detection #DFIR

Apple T2 Security Chip Overview https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf (PDF) #apple #security https://t.co/QvwjU77ZdW

Lockcoin: a secure and privacy-preserving mix service for bitcoin anonymity https://arxiv.org/pdf/1811.04349.pdf (PDF) #bitcoin #privacy https://t.co/lnzmuLm3WG

#ePrivacy, I sure hope this doesn't mean Enterprise Privacy 😂😭

"enterprise-grade encryption"

ie. plaintext

tl;dr: eTLS makes it possible for your {company|ISP|proxy} to decipher your communications, ETSI paper https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.01.01_60/ts_10352303v010101p.pdf (PDF)

"eTLS, defined in TS 103 523-3, specifies an implementation variant of TLS 1.3. This variant is needed because TLS 1.3 removes support for certain key exchange methods, which prevents passive decryption of TLS 1.3 sessions at any scale" https://www.etsi.org/news-events/news/1358-2018-11-press-etsi-releases-standards-for-enterprise-security-and-data-centre-management

Phishing Catcher is now using the latest certstream version (1.10), thanks Gijutsu for the PR https://github.com/x0rz/phishing_catcher #phishing #OSINT

Interesting automatic XSS detection tool https://github.com/s0md3v/XSStrike #XSS #pentest https://t.co/oS5MBHDwrT

Some major French websites haven't fixed their basic XSS 🙄 (publicly available on @openbugbounty h/t @sS55752750) cc @lequipe @le_figaro @allocine @free @ANSSI_FR https://t.co/JqYVuku4Ko

The book was really ahead of its time: cyber espionage, sabotage, Nobody-But-Us (NOBUS) strategy, economic warfare and romance in the cold war era. Everything is in there, get your hands on it if you can (original in French)

It actually adds a VPN profile (for iOS) but will only redirect DNS (it seems) to their servers.
Too bad they're not releasing the source code for this app, adding a VPN profile seems quite sketchy (but maybe the only technical solution on iOS for this)

Cloudflare is launching it's 1.1.1.1 encrypted DNS app for iOS and Android https://blog.cloudflare.com/1-thing-you-can-do-to-make-your-internet-safer-and-faster/ #privacy

Also, funny to see the document "for Trust and Security in Cyberspace" is leaking metadata!
We're quite not there yet, apparently https://t.co/DhEwcT6JAi